diff --git a/.gitignore b/.gitignore
index fc7de855..02903bf3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,9 @@
-SOURCES/almalinuxsecurebootca0.cer
 SOURCES/grub-2.02.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot502.cer
+SOURCES/redhatsecureboot601.cer
+SOURCES/redhatsecureboot701.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
 SOURCES/theme.tar.bz2
-SOURCES/unifont-5.1.20080820.pcf.gz
+SOURCES/unifont-5.1.20080820.pcf.gz
\ No newline at end of file
diff --git a/.grub2.metadata b/.grub2.metadata
new file mode 100644
index 00000000..c0c9b649
--- /dev/null
+++ b/.grub2.metadata
@@ -0,0 +1,9 @@
+3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
+039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
+e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
+cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
+87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
diff --git a/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
new file mode 100644
index 00000000..8c7d4cff
--- /dev/null
+++ b/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Leo Sandoval +Date: Thu, 19 Sep 2024 10:15:13 -0600 +Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit + +Stricker permissions are required on the grub.cfg file, resulting in +at most 0600 owner's file permissions. This resolves conflicting +requirement permissions on grub2-pc package's grub2.cfg file. + +Signed-off-by: Leo Sandoval +--- + util/grub-mkconfig.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index a1c00776d..573004915 100644 +--- a/util/grub-mkconfig.in ++++ b/util/grub-mkconfig.in +@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg +- oldumask=$(umask); umask 077 ++ oldumask=$(umask); umask 177 + cat ${grub_cfg}.new > ${grub_cfg} + umask $oldumask + rm -f ${grub_cfg}.new diff --git a/SOURCES/20-grub.install b/SOURCES/20-grub.install index dd2018aa..2bb65b87 100755 --- a/SOURCES/20-grub.install +++ b/SOURCES/20-grub.install @@ -90,13 +90,10 @@ case "$COMMAND" in [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR" BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}" BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf" - if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then - cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $? - else - mkbls "${KERNEL_VERSION}" \ - "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \ - >"${BLS_TARGET}" - fi + mkbls "${KERNEL_VERSION}" \ + "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \ + >"${BLS_TARGET}" + command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}" LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')" INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')" diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index 8baf627a..229a82ac 100644 
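Review bot: The `umask 177` line in the embedded grub-mkconfig.in hunk only governs the mode of a grub.cfg that does not exist yet; the following `cat ${grub_cfg}.new > ${grub_cfg}` truncates an existing file in place and leaves its current mode untouched, so a config previously installed as 0700 (or loosened by an administrator) keeps that mode after regeneration. If the intent is "at most 0600" as the description says, set it explicitly after the write, e.g. `chmod 0600 "${grub_cfg}"` on the line after the `cat`, instead of relying on creation-time umask alone. A minor wording point in the description: "Stricker" should read "Stricter". The `if … else` block being patched continues outside the quoted hunk.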
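Review bot: The new `mkbls … >"${BLS_TARGET}"` line carries no exit-status check, unlike the `cp -aT … || exit $?` branch it replaces, so a failing mkbls leaves an empty or truncated `${BLS_TARGET}` behind and the `LINUX=`/`INITRD=` grep lines that follow silently yield empty values. The `command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"` line likewise swallows a restorecon failure, and `-R` adds nothing when the operand is a single file. Suggested: `mkbls … >"${BLS_TARGET}" || exit $?` and `if command -v restorecon &>/dev/null; then restorecon "${BLS_TARGET}" || exit $?; fi`. The enclosing `case "$COMMAND" in` arm starts and ends outside the hunk.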
--- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -285,13 +285,7 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools-extra = %{evr} \ Requires: %{name}-tools = %{evr} \ -Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi \ Provides: %{name}-efi = %{evr} \ -Provides: almalinux(grub2-sig-key) = 202303 \ -%{expand:%%ifarch x86_64 \ -Conflicts: shim-x64 <= 15.6-1.el8.alma \ -Conflicts: shim-ia32 <= 15.6-1.el8.alma \ -%%endif} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ \ @@ -546,7 +540,7 @@ install -D -m 700 unicode.pf2 \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ -ln -sf ../efi/EFI/%{efidir}/grubenv \\\ +ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\ $RPM_BUILD_ROOT/boot/grub2/grubenv \ cd .. \ %{nil} @@ -595,14 +589,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \ ln -sf ../default/grub \\\ ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \ -touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \ +touch grub.cfg \ +install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/ \ %{nil} %define define_legacy_variant_files() \ %{expand:%%files %{1}} \ %defattr(-,root,root,-) \ %config(noreplace) %{_sysconfdir}/%{name}.cfg \ -%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg \ +%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %ifarch ppc64le \ %dir %{_libdir}/grub/%{2}/ \ diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 505a35f6..b4d6e2f4 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches 
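Review bot: `touch grub.cfg` in the -595 hunk creates a file in whatever directory the macro is expanded in but does not truncate one that is already there, so if a `grub.cfg` exists in that working directory the next line `install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/` ships its contents into the `%ghost` placeholder; the old `touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg` had no dependency on cwd state. A single `install -m 0600 /dev/null ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg \` replaces both lines, guarantees an empty file, and leaves nothing behind in the build tree. The `%attr(0600,root,root)` change in define_legacy_variant_files matches the new install mode. In the -546 hunk, `%{efi_vendor}` replaces `%{efidir}` while the spec change in this same commit drops the `%global efi_vendor` definition, so it presumably comes from an included file now; worth confirming rpm does not expand it literally.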
@@ -588,3 +588,4 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch +Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch \ No newline at end of file diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index e43e302b..b338b5f5 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,4 +1,3 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ -grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com -grub.almalinux,2,AlmaLinux,grub2,@@VERSION_RELEASE@@,mail:security@almalinux.org +grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index bc81f1e6..fbad1422 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -1,7 +1,3 @@ -%global efi_vendor almalinux -%global efidir almalinux -%global efi_esp_dir /boot/efi/EFI/%{efidir} - %undefine _hardened_build %global tarversion 2.02 @@ -11,7 +7,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 156%{?dist}.alma.1 +Release: 158%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ 
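Review bot: Dropping the `%global efi_vendor`, `%global efidir` and `%global efi_esp_dir` lines leaves `%{efi_esp_dir}` (still used in grub.macros, e.g. the `$RPM_BUILD_ROOT%{efi_esp_dir}/grubenv` context line) and the new `%{efi_vendor}` reference in grub.macros without a definition in this file; if they are not provided by `%include %{SOURCE1}` or another include, rpm leaves the `%{…}` text unexpanded and the install paths become wrong without a build error. Once the source of those macros is confirmed, a one-line comment at the top of the spec would help the next reader, e.g. `# efi_vendor / efidir / efi_esp_dir are defined in the included grub.macros`.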
@@ -28,29 +24,31 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: almalinuxsecurebootca0.cer +Source13: redhatsecurebootca3.cer +Source14: redhatsecureboot301.cer +Source15: redhatsecurebootca5.cer +Source16: redhatsecureboot502.cer +Source17: redhatsecureboot601.cer +Source18: redhatsecureboot701.cer Source19: sbat.csv.in %include %{SOURCE1} %if 0%{with_efi_arch} %define old_sb_ca %{SOURCE13} -%define old_sb_cer %{SOURCE13} -%define old_sb_key almalinuxsecurebootca0 -%define sb_ca %{SOURCE13} -%define sb_cer %{SOURCE13} -%define sb_key almalinuxsecurebootca0 +%define old_sb_cer %{SOURCE14} +%define old_sb_key redhatsecureboot301 +%define sb_ca %{SOURCE15} +%define sb_cer %{SOURCE16} +%define sb_key redhatsecureboot502 %endif %ifarch ppc64le -%define old_sb_cer %{SOURCE13} -%define sb_cer %{SOURCE13} -%define sb_key almalinuxsecurebootca0 +%define old_sb_cer %{SOURCE17} +%define sb_cer %{SOURCE18} +%define sb_key redhatsecureboot702 %endif -# AlmaLinux: keep upstream EVR for RHEL SBAT entry -%define rhel_version_release $(echo %{version}-%{release} | sed 's/\.alma.*//') - # generate with do-rebase %include %{SOURCE2} @@ -168,7 +166,7 @@ This subpackage provides tools for support of all platforms. mkdir grub-%{grubefiarch}-%{tarversion} grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz -sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" -e "s,@@RHEL_VERSION_RELEASE@@,%{rhel_version_release},g" \ +sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \ %{SOURCE19} > grub-%{grubefiarch}-%{tarversion}/sbat.csv git add grub-%{grubefiarch}-%{tarversion} %endif 
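Review bot: In the ppc64le block `%define sb_cer %{SOURCE18}` points at redhatsecureboot701.cer while `%define sb_key redhatsecureboot702` names a different key, whereas the EFI block pairs 301 with 301 and 502 with 502. How sb_key is consumed is outside this hunk, so this may be a deliberate token-nickname versus certificate-file distinction; if so, a comment on that line should say it, e.g. `# signing key nickname; the public cert shipped alongside is redhatsecureboot701.cer`, otherwise it reads as a transcription slip that would pair a signature with a certificate it does not match.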
@@ -312,6 +310,19 @@ if [ "$1" = 2 ]; then /sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || : fi +%posttrans common +set -eu + +GRUB_HOME=/boot/%{name} + +if test -f ${GRUB_HOME}/grub.cfg; then + # make sure GRUB_HOME/grub.cfg has 600 permissions + GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg) + if ! test "${GRUB_CFG_MODE}" = "600"; then + chmod 0600 ${GRUB_HOME}/grub.cfg + fi +fi + %triggerun -- grub2 < 1:1.99-4 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades # from the affected grub2 packages, we first back up the files in triggerun and @@ -343,20 +354,6 @@ if [ "$1" = 0 ]; then /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || : fi -%if 0%{with_efi_arch} -%posttrans %{package_arch} -if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then - grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : -fi -%endif - -%if 0%{with_alt_efi_arch} -%posttrans %{alt_package_arch} -if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then - grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : -fi -%endif - %files common -f grub.lang %dir %{_libdir}/grub/ %dir %{_datarootdir}/grub/ @@ -526,8 +523,13 @@ fi %endif %changelog -* Wed Apr 10 2024 Andrew Lukoshko - 2.02-156.alma.1 -- Debrand for AlmaLinux +* Thu Sep 19 2024 Leo Sandoval - 2.02-158 +- grub-mkconfig.in: turn off executable owner bit +- Resolves: #RHEL-58835 + +* Wed Aug 14 2024 Leo Sandoval - 2.02-157 +- 20-grub-install: fix SELinux security type context for BLS +- Resolves: #RHEL-4395 * Tue Feb 20 2024 Nicolas Frayer - 2.02-156 - fs/ntfs: OOB write fix
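Review bot: With `set -eu` at the top of the new `%posttrans common` scriptlet, any failure of the `stat` or `chmod` lines aborts the scriptlet with an error on every transaction, and `chmod 0600` follows symlinks, so if `/boot/grub2/grub.cfg` were a symlink into a filesystem without POSIX modes (e.g. a vfat ESP) the chmod would fail each time. The `stat --format="%a"` pre-check only avoids a no-op chmod and adds a second failure point; a single guarded chmod states the intent more plainly. Suggested inner block: `if test -f ${GRUB_HOME}/grub.cfg && ! test -L ${GRUB_HOME}/grub.cfg; then` / `    chmod 0600 ${GRUB_HOME}/grub.cfg || :` / `fi`. The removed EFI `%posttrans` blocks in the next hunk mean the ESP copy of grub.cfg is no longer touched by any scriptlet, which is presumably intended given the mode cannot be set there anyway.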